Help to determine if my system is compromised


#1

Help, I just re-installed Windows 10 on my laptop, and GlassWire caught this.
Since it's a fresh install I'm worried the installation itself is affected.
I want to make sure if this is something I can or should fix, if I should do a clean install again, or if it's nothing. I ran Malwarebytes and Windows Defender, but neither of them seems to catch anything.
This message appeared after I tried to delete a Windows.old folder and couldn't get permission to do so. I don't know how it got there, since it is a clean install.
Please help!

This is the info virustotal+glasswire got on “explorer.exe”
SHA256: afae363afbc03ced0715fa5c26f4e7273d1271cde81a1edcc3b8cb0a1f41671d

And this is the info virustotal+glasswire got on “systemsettingsadminflows.exe”
SHA256: 025057bb5f4a0e288024ec689acbe45c8a000967b8a61ccf1ad98683106a5f81


#2

VirusTotal is a file analysis tool, not an antivirus. It’s possible one of the engines it uses has a false positive. If you are installing Windows from an official source then I would not worry about this.

If you are installing Windows from an unusual source like a Warez site then I might worry.
https://www.glasswire.com/userguide/#Virus_Total


#3

That something that's part of Windows could be related to a backdoor frightens me. I'm getting real paranoid right now.
I first installed Windows from an ISO that I got from the Media Creation Tool, but when I installed Windows 10 Single Language 1809 the service said my licence is invalid.
So I got a new ISO from the site on this image, as it seems or seemed reliable coming from a Microsoft forum. And it approved my licence (which I got updating from Windows 8 to 10), so I thought everything was going well.
The thing is I formatted the disk before installing, so there shouldn't be any Windows.old folder on disk C. But there it is, and I can't find a way to delete it. That seems strange enough.
I'm asking because I want to know if I need to format again or not (since neither Windows Defender nor Malwarebytes says there's any virus).

Thanks in advance


#4

I cannot see the entire URL, but if it’s really from Microsoft.com then I guess the ISO is probably OK and nothing to worry about. Please note though sometimes bad people will put microsoft.com as part of a longer URL that looks legit, but is not…

With VirusTotal it's even possible that GlassWire itself gets a false positive from the malware engines they use, but we always contact these antivirus companies and let them know of false positives to help avoid this scenario.

So it’s not impossible that this is a false positive and if you downloaded from Microsoft.com I’d run Windows Update until you’re fully updated, then do a full antivirus scan and see what happens then.


#5

I did run a full scan with Win Defender and Malwarebytes. Although Windows refuses to update to version 1809 and updated only to 1803.
Also, I ran the offline scan on Win Defender and found out that its database is outdated. And since I can't update further than 1809, Defender can't either.
But those antivirus didn't find a single virus.


#6

I don’t think that you have a real problem provided your Windows installation software was only downloaded from microsoft.com, as @Ken_GlassWire has already pointed out.

Threat detected?

I don’t see anything that suggests this a problem to be concerned about.

I wouldn't worry too much about an isolated detection of an infection on VirusTotal. It is quite common for signature-based scans to be overly cautious or make mistakes, i.e. report a false-positive.

It would be a problem if the identified threat were a new one. Then the one or two detection reports are more likely to indicate that the other products just haven't got onto it yet. But that is not the problem in your case because this is an old threat.

The "Yandex backdoor bladabindi" infection has been seen by Microsoft as early as 2013 and by other vendors for a few years, e.g. by Trend Micro since 2015. Therefore it is very likely to be picked up by any antivirus database from the past few years. Incidentally, Trend Micro don't consider it to be a high risk threat anyway.

Windows Defender

Regarding the possible threat, that’s also why you don’t have to worry about the Windows Defender database not being totally up-to-date. If it really were the Yandex backdoor infection then an old database would be expected to detect it too.


#7

This brings me a bit of calm. But since there is that Windows.old folder I decided to format again anyway. On this occasion I took my PC to a friend's dad who is a PC tech, so he could install Windows for me (just in case the ISO I got is compromised).
When I get back my PC I'll install GlassWire again and will get back to you in case of any "malicious" detection. If it happens again, I'll know for sure it was a false positive.
I was getting really paranoid here so I just had to take it to a specialist to get back to my senses. Just in case, I gave him my external HDD to scan for any potential malware (malware that wasn't found by Malwarebytes or Win Defender).
Thanks for everything until now.


#8

@A_T_M

Instead of paying for a specialist it could save you some money if you just do another HD reformat, then reinstall Windows again. This time just be sure you get it directly from the Microsoft website.

You can check the installer software hash from Microsoft before installing it if you are worried about a “man in the middle” type of attack. https://support.microsoft.com/en-us/help/889768/how-to-compute-the-md5-or-sha-1-cryptographic-hash-values-for-a-file

Just an idea to save your time and money…
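The hash check suggested above, written out as an added example (not from the forum thread, GlassWire, or Microsoft): it streams a downloaded installer through SHA-256 in chunks so a multi-gigabyte ISO never has to fit in memory, then compares the result against the value the reader copies from the vendor's download page (the `published` value here is assumed to be that copied string; the sample files are constructed stand-ins, not real ISOs). The Microsoft article linked in the post covers MD5 and SHA-1; SHA-256 is used here because it is what current download pages list and because MD5/SHA-1 collisions are practical.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 one chunk at a time (1 MiB default)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """Return True only if the file's SHA-256 equals the published value.

    The expected value is normalised (vendors publish upper- or lower-case hex,
    sometimes with surrounding whitespace) and validated as a 64-char hex string
    before comparison, so a mangled copy-paste fails loudly instead of silently.
    hmac.compare_digest gives a constant-time comparison.
    """
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected hash is not a 64-character hex SHA-256")
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a clean copy and a copy with one byte altered."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for the installer that was actually downloaded (constructed data).
        good = os.path.join(tmp, "installer.iso")
        with open(good, "wb") as fh:
            fh.write(b"stand-in installer bytes\n" * 1000)

        # Assumed: this is the hash string copied from the vendor's download page.
        published = sha256_of_file(good)
        clean_ok = verify_download(good, published.upper())   # case differences are fine

        # Same size, one byte flipped: a tampered copy must fail the check.
        bad = os.path.join(tmp, "tampered.iso")
        with open(bad, "wb") as fh:
            fh.write(b"stand-in installer bytes\n" * 999 + b"stand-in installer Bytes\n")
        tampered_ok = verify_download(bad, published)

        return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expect (True, False)
```

On Windows the same computation is available natively as `Get-FileHash -Algorithm SHA256 <file>` in PowerShell. Either way, a matching hash only proves the file is the one the publisher listed: if the hash and the ISO were both taken from the same untrusted page, the check adds little, which is why the post above insists on fetching both from Microsoft directly.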


#9

Next I'll re-download the ISO I used to install Windows to check its hash.
The ISO was Windows Home Single Language ver 1703 (from here, the link in the image). Since the 1809 ISO from the Windows Media Creation Tool gave me OutOfBoxRegionError and said my licence was invalid.
Thanks for the advice, but I believe I can't rely on the other PC that's in my house (which I tried to clean from malware with the same antivirus I told you about before) to download and burn something as important as Windows. I need a specialist so he can install Windows with the security of it coming from a clean environment.
Thanks
I'll update you when I get back my PC.


#10

I agree, sometimes it's a false positive, especially with a fresh install. Simply add it as an exception and it won't bother you again.


#11

So I got back my PC and now it doesn't say a single thing about explorer or anything.
Also, I read a little and discovered that when Windows 1803 updated to 1809 it created the Windows.old folder.
If then it was a false positive, now there is not a trace of a true or a false one. So my guess is it was compromised.
Thanks for the help.


#12

There is no reliable evidence that your system was compromised.

VirusTotal reported the detection result to the scanner owner so they could see that they were the only one reporting a problem with the file. Such false-positives are usually fixed quickly, which will be why the same false-positive report isn't made anymore.

See VirusTotal: How it works:

Upon submitting a file or URL basic results are shared with the submitter, and also between the examining partners, who use results to improve their own systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you are contributing to raise the global IT security level.
This core analysis is also the basis for several other features, including the VirusTotal Community: a network that allows users to comment on files and URLs and share notes with each other. VirusTotal can be useful in detecting malicious content and also in identifying false positives – normal and harmless items detected as malicious by one or more scanners.